> Hmm. Looking at the Cmm, that program does indeed seem to have some state (!)
> There's a lazily initialised table per class, and a branch to see whether it has already been initialised.
[...]
> The bug is indeed the lazy initialisation of classes being picked up by afl-fuzz, and the fix is to ensure that this code is not instrumented. However, class initialisation is pretty hairy, with a bunch of different paths depending on whether the class closes over values, etc.